Efficient Drive forensics – and it’s free!

Presentation transcript:

Active@ Disk Editor: Efficient Drive forensics – and it’s free!
Prepared by Edward Webber

Where to find it: http://www.disk-editor.org/download

Reasons to use it:
- Completely free
- Regular updates
- Has a partner file recovery app
- Eliminates data location calculation errors
- Reduces time to find data
- Automatically translates data for multiple file systems into a user-readable format

Main features: more than a basic hex editor

Features overview
- Drive support: hard disk drives, SSD & USB disks, partitions & volumes, files
- Template-driven data displays
- Drive image support: VMware, dd images, MS Virtual PC, DIM support (disk image + metadata)
- Hyperlinks, for example: MFT records link to the first cluster in the data run; the MBR links to its partitions
- Built-in file editor
- All features are self-contained; no plug-ins needed

Alternative: Hex Workshop. Drawbacks:
- $90 per seat
- No updates in two years
- Lacks a modern interface
- Steep learning curve
- No block hyperlinking
- No file system templates
- Manual sector calculations
- Must rely on bookmarks
- Wall of hex

Disk Editor vs. Hex Workshop (DE / HW). Features compared:
- Maximum file size
- Partial file loading
- Disk sector editing
- Bit editing
- Text editor
- Insert / delete bytes
- Bit shifting
- Search Unicode
- File structure view
- Hi-res support
- File compare
- Find in files
- Bookmarks
- Macro
- Data inspector
- Auto-highlighting
The per-feature table cells (YES / NO / NO* / N/A) are not legible in this transcript.

Which would you choose? Disk Editor: color coded, modern interface. Hex Workshop: wall of hex, UI from the 80’s.

Find the Total Sectors: Disk Editor 6
- Where is it located?
- What’s the value? (8 bit? 16 bit? Signed?)
- MFT cluster number? Hyperlinked

Find the Total Sectors: Hex Workshop 6.8
- Where is it located?
- What’s the value? (8 bit? 16 bit? Signed?)
- MFT cluster number?
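The two slides above turn on the same question: which bytes hold the total sector count, how wide the field is, and what the MFT cluster number points to. The following is an added example, not code from the deck or from Active@ Disk Editor: it builds a constructed NTFS boot sector (the field values are made up), reads the fields at their real widths the way a file system template does, resolves the MFT cluster to a sector and byte offset (the "hyperlink"), and shows what a manual read gets when it picks the wrong width or byte order.

```python
import struct

# Constructed NTFS boot sector for the example (not from the deck's image):
# only the fields this parser reads are filled in, the rest stays zero.
def make_ntfs_boot_sector(bytes_per_sector=512, sectors_per_cluster=8,
                          total_sectors=20_971_519, mft_cluster=786_432):
    bs = bytearray(512)
    bs[0:3] = b"\xEB\x52\x90"                        # jump instruction
    bs[3:11] = b"NTFS    "                           # OEM ID
    struct.pack_into("<H", bs, 0x0B, bytes_per_sector)
    bs[0x0D] = sectors_per_cluster
    struct.pack_into("<Q", bs, 0x28, total_sectors)  # 64-bit little-endian
    struct.pack_into("<Q", bs, 0x30, mft_cluster)    # $MFT start cluster
    struct.pack_into("<Q", bs, 0x38, 2)              # $MFTMirr start cluster
    bs[0x1FE:0x200] = b"\x55\xAA"                    # boot signature
    return bytes(bs)

def parse_ntfs_boot_sector(bs):
    """Read the fields a template would highlight, at their real widths."""
    if bs[3:11] != b"NTFS    " or bs[0x1FE:0x200] != b"\x55\xAA":
        raise ValueError("not an NTFS boot sector")
    bytes_per_sector, = struct.unpack_from("<H", bs, 0x0B)   # 16-bit
    sectors_per_cluster = bs[0x0D]                           # 8-bit
    # (values above 0x80 encode 2**(256 - n) on newer NTFS; not handled here)
    total_sectors, = struct.unpack_from("<Q", bs, 0x28)      # 64-bit
    mft_cluster, = struct.unpack_from("<Q", bs, 0x30)        # 64-bit
    cluster_bytes = bytes_per_sector * sectors_per_cluster
    return {
        "bytes_per_sector": bytes_per_sector,
        "sectors_per_cluster": sectors_per_cluster,
        "total_sectors": total_sectors,
        "mft_cluster": mft_cluster,
        # what the editor's hyperlink resolves to: where $MFT begins
        "mft_sector": mft_cluster * sectors_per_cluster,
        "mft_byte_offset": mft_cluster * cluster_bytes,
    }

def misread_total_sectors(bs):
    """The same bytes read with the wrong width or byte order: the mistakes
    a manual hex read invites and a template rules out."""
    return {
        "as_u16_le": struct.unpack_from("<H", bs, 0x28)[0],
        "as_u32_le": struct.unpack_from("<I", bs, 0x28)[0],
        "as_u64_be": struct.unpack_from(">Q", bs, 0x28)[0],
        "as_u64_le": struct.unpack_from("<Q", bs, 0x28)[0],
    }

if __name__ == "__main__":
    bs = make_ntfs_boot_sector()
    for k, v in parse_ntfs_boot_sector(bs).items():
        print(f"{k:20} {v:>14,}")
    for k, v in misread_total_sectors(bs).items():
        print(f"total sectors {k:10} {v:>22,}")
```

With the constructed values the 16-bit read returns 65,535 (the low half of the count), the 32-bit read happens to agree with the 64-bit one only because the volume is small, and the big-endian read is garbage; the template shows the 64-bit little-endian value and nothing else.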

Forensics problem 1: sampling the power of Disk Editor

Forensics problem 1
3/30/2016 4:59 PM  Open Active@ Disk Editor
3/30/2016 4:59 PM  Select “Open disk image”
3/30/2016 5:00 PM  Select “All files” from the extension dropdown menu and open FP1.dd

Forensics problem 1
3/30/2016 5:01 PM  Click the “Find” icon and enter “pw” in the search field
3/30/2016 5:02 PM  If not already selected, select the “Find Results” tab in the lower left

Forensics problem 1
3/30/2016 7:28 PM  Select “‘pw’ Down; Match case (1 hits)”, then select “pw=goodtimes”
3/30/2016 7:31 PM  The password is hidden within the RAM slack of the “Cover page.jpg” image file. It should appear as “pw=goodtimes” in sector x2156 (8,534) at offset x40-4B (64-76)
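What the Find Results pane does in the steps above is a raw byte search over the whole image with each hit translated into a sector number and an in-sector offset. The example below is added here and is not code from the deck or from Active@ Disk Editor; it builds a constructed image (the only real-looking thing in it is the marker string, planted at the sector and offset the deck reports) and searches it the way the “Match case” option does, reporting hex and decimal sector/offset so the result can be checked against the slide.

```python
import re

SECTOR_SIZE = 512

def make_test_image():
    """Constructed disk image for the example: 0x2157 zero-filled sectors with
    the deck's marker string planted in sector 0x2156 at offset 0x40, the way
    a leftover string sits in the slack space after a file's real content."""
    img = bytearray((0x2156 + 1) * SECTOR_SIZE)
    pos = 0x2156 * SECTOR_SIZE + 0x40
    img[pos:pos + 12] = b"pw=goodtimes"
    return bytes(img)

def find_ascii(image, needle, match_case=True, context=32):
    """Find every occurrence of an ASCII string in a raw image and report each
    hit like an editor's Find Results pane: sector, in-sector offset (hex and
    decimal) and the printable run that follows the hit. A hit that straddles
    a sector boundary is reported at the sector where it starts."""
    flags = 0 if match_case else re.IGNORECASE
    pattern = re.compile(re.escape(needle.encode("ascii")), flags)
    hits = []
    for m in pattern.finditer(image):
        sector, offset = divmod(m.start(), SECTOR_SIZE)
        last = offset + len(needle) - 1
        run = image[m.start():m.start() + context].split(b"\x00", 1)[0]
        hits.append({
            "sector": sector,
            "offset": offset,
            "end_offset": last,
            "location": (f"sector 0x{sector:X} ({sector:,}) "
                         f"offset 0x{offset:X}-0x{last:X} ({offset}-{last})"),
            "text": run.decode("ascii", errors="replace"),
        })
    return hits

if __name__ == "__main__":
    image = make_test_image()
    for needle in ("pw", "pw=goodtimes", "PW"):
        hits = find_ascii(image, needle)
        print(f"'{needle}' Down; Match case ({len(hits)} hits)")
        for hit in hits:
            print("   ", hit["location"], "->", hit["text"])
```

Searching for “pw” with case matching returns one hit in sector 0x2156 (8,534) at offset 0x40 whose following bytes read “pw=goodtimes”; the uppercase search returns nothing until `match_case=False` is passed.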

Project 5.2 – file entry metadata: where Disk Editor shines (and Hex Workshop nightmares begin)

Specific file: C5Prj02.txt. Contents: “A slip of the foot you may soon recover, but a slip of the tongue you may never get over. Drive thy buisness or it will drive thee. An investment in knowledge always pays the best interest.”

File metadata: organized metadata structure
- Fully highlighted
- Attribute sections 10, 30, 80 (the NTFS attribute type IDs: 0x10 $STANDARD_INFORMATION, 0x30 $FILE_NAME, 0x80 $DATA)

File metadata – MAC times
- No guessing
- No math
- No losing your place in a sea of hex
- No human error
- At-a-glance results
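The two slides above are about walking an MFT file record attribute by attribute (0x10, 0x30, 0x80) and reading the MAC times out of $STANDARD_INFORMATION without hand-converting FILETIME values. The following is an added example, not code from the deck or from Active@ Disk Editor: it constructs a 1 KiB MFT record for a file named as on the slide (the timestamps and parent reference are made up, and the update sequence fixups a real record carries are omitted), walks the attribute chain the way a template does, and decodes the four timestamps.

```python
import struct
from datetime import datetime, timedelta, timezone

ATTR_NAMES = {0x10: "$STANDARD_INFORMATION", 0x30: "$FILE_NAME", 0x80: "$DATA"}
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def to_filetime(dt):
    """datetime -> NTFS FILETIME (100 ns ticks since 1601-01-01 UTC)."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10

def from_filetime(ft):
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def resident_attr(atype, content):
    """Resident attribute: 24-byte header, then content, padded to 8 bytes."""
    total = (0x18 + len(content) + 7) & ~7
    hdr = struct.pack("<IIBBHHHIHBB", atype, total, 0, 0, 0, 0, 0,
                      len(content), 0x18, 0, 0)
    return hdr + content + b"\x00" * (total - 0x18 - len(content))

def make_mft_record(name, data, created, modified, accessed):
    """Constructed 1 KiB MFT record (not taken from the deck's image). Update
    sequence fixups are omitted; on a real record apply them before parsing."""
    si = struct.pack("<QQQQ", to_filetime(created), to_filetime(modified),
                     to_filetime(modified), to_filetime(accessed))
    si += b"\x00" * 16                                  # flags, versions, class id
    fn = struct.pack("<QQQQQQQIIBB", 5 | (5 << 48),     # parent: root dir, seq 5
                     to_filetime(created), to_filetime(modified),
                     to_filetime(modified), to_filetime(accessed),
                     (len(data) + 4095) & ~4095, len(data), 0, 0,
                     len(name), 3) + name.encode("utf-16-le")  # namespace 3
    attrs = (resident_attr(0x10, si) + resident_attr(0x30, fn)
             + resident_attr(0x80, data) + b"\xFF\xFF\xFF\xFF")  # end marker
    rec = bytearray(1024)
    rec[0:4] = b"FILE"
    struct.pack_into("<H", rec, 0x14, 0x38)                # first attribute
    struct.pack_into("<H", rec, 0x16, 1)                   # flags: in use
    struct.pack_into("<I", rec, 0x18, 0x38 + len(attrs))   # bytes used
    struct.pack_into("<I", rec, 0x1C, 1024)                # bytes allocated
    rec[0x38:0x38 + len(attrs)] = attrs
    return bytes(rec)

def walk_attributes(record):
    """Yield (type, name, offset, content) for each attribute until 0xFFFFFFFF."""
    if record[0:4] != b"FILE":
        raise ValueError("not an MFT record")
    off, = struct.unpack_from("<H", record, 0x14)
    attrs = []
    while True:
        atype, = struct.unpack_from("<I", record, off)
        if atype == 0xFFFFFFFF:
            break
        alen, nonres = struct.unpack_from("<IB", record, off + 4)
        if nonres:
            content = None        # lives in clusters described by a run list
        else:
            clen, coff = struct.unpack_from("<IH", record, off + 0x10)
            content = record[off + coff:off + coff + clen]
        attrs.append((atype, ATTR_NAMES.get(atype, hex(atype)), off, content))
        off += alen
    return attrs

def mac_times(record):
    for atype, _, _, content in walk_attributes(record):
        if atype == 0x10:
            c, m, mm, a = struct.unpack_from("<QQQQ", content, 0)
            return {"created": from_filetime(c), "modified": from_filetime(m),
                    "mft_modified": from_filetime(mm), "accessed": from_filetime(a)}
    raise ValueError("no $STANDARD_INFORMATION attribute")

def file_name(record):
    for atype, _, _, content in walk_attributes(record):
        if atype == 0x30:
            return content[0x42:0x42 + 2 * content[0x40]].decode("utf-16-le")

def resident_data(record):
    for atype, _, _, content in walk_attributes(record):
        if atype == 0x80:
            return bytes(content)

# Constructed sample: the deck's file name and text with made-up timestamps.
TEXT = (b"A slip of the foot you may soon recover, but a slip of the tongue "
        b"you may never get over. Drive thy buisness or it will drive thee. "
        b"An investment in knowledge always pays the best interest.")
SAMPLE = make_mft_record("C5Prj02.txt", TEXT,
                         created=datetime(2016, 3, 30, 16, 59, tzinfo=timezone.utc),
                         modified=datetime(2016, 3, 30, 17, 2, tzinfo=timezone.utc),
                         accessed=datetime(2016, 3, 30, 19, 28, tzinfo=timezone.utc))

if __name__ == "__main__":
    for atype, name, off, content in walk_attributes(SAMPLE):
        print(f"0x{atype:02X} {name:22} at record offset 0x{off:X}, {len(content)} bytes")
    print(file_name(SAMPLE), mac_times(SAMPLE))
```

The walk lands on the three attributes at record offsets 0x38, 0x80 and 0xF0, which is exactly the "10 / 30 / 80" highlighting the slide shows; the timestamps come back as timezone-aware UTC datetimes, so nobody has to divide 100 ns ticks by hand.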

File previews: many formats supported, including Word, RTF, Excel, CSV, text, JPG, BMP, TIFF and PNG

FAT32/USB file system evaluation: where Disk Editor shines (and Hex Workshop nightmares continue)

FAT32/USB file system evaluation
- Switch between hex / dec? One mouse click
- FAT32 boot sector: automatically highlighted and parsed

FAT32/USB file system evaluation: root directory entry. Where is it? Do the math:
- Sectors per FAT: 1,955
- Number of FATs: 2
- 1,955 x 2 = 3,910
- Reserved sectors: 4,282
- 4,282 + 3,910 = 8,192
- Bytes per sector: 512
- Sectors per cluster: 8
- Root cluster: 2
- 512 x 8 x 2 = 8,192

FAT32/USB file system evaluation: the FAT32 boot sector validator checks for out-of-spec values
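The three FAT32 slides above describe parsing the boot sector, locating the root directory from its fields, and flagging out-of-spec values. The example below is added here and is not code from the deck or from Active@ Disk Editor: it constructs a boot sector carrying the slide's BPB values (the total sector count and OEM string are made up), parses it, and computes the root directory's first sector with the general formula reserved sectors + FATs x sectors per FAT + (root cluster - 2) x sectors per cluster. The slide's root cluster is 2, so the last term is zero and 4,282 + 3,910 is the whole answer; the example also shows what changes for another root cluster, and includes a small validator of the kind the last slide mentions.

```python
import struct

def make_fat32_boot_sector(bytes_per_sector=512, sectors_per_cluster=8,
                           reserved_sectors=4282, num_fats=2,
                           sectors_per_fat=1955, root_cluster=2,
                           total_sectors=7_823_360):
    """Constructed FAT32 boot sector with the deck's BPB values as defaults
    (not the deck's image); the total sector count is made up."""
    bs = bytearray(512)
    bs[0:3] = b"\xEB\x58\x90"                            # jump instruction
    bs[3:11] = b"MSWIN4.1"                               # OEM name
    struct.pack_into("<H", bs, 0x0B, bytes_per_sector)
    bs[0x0D] = sectors_per_cluster
    struct.pack_into("<H", bs, 0x0E, reserved_sectors)
    bs[0x10] = num_fats
    # 0x11 root entry count, 0x13 total sectors (16-bit) and 0x16 sectors
    # per FAT (16-bit) must all be zero on FAT32, so they stay zero here
    bs[0x15] = 0xF8                                      # media descriptor
    struct.pack_into("<I", bs, 0x20, total_sectors)      # 32-bit total sectors
    struct.pack_into("<I", bs, 0x24, sectors_per_fat)    # FAT32 sectors per FAT
    struct.pack_into("<I", bs, 0x2C, root_cluster)
    bs[0x42] = 0x29                                      # extended boot signature
    bs[0x52:0x5A] = b"FAT32   "
    bs[0x1FE:0x200] = b"\x55\xAA"
    return bytes(bs)

def parse_fat32_boot_sector(bs):
    """The fields a template highlights, each read at its own width."""
    f = {}
    f["bytes_per_sector"], = struct.unpack_from("<H", bs, 0x0B)
    f["sectors_per_cluster"] = bs[0x0D]
    f["reserved_sectors"], = struct.unpack_from("<H", bs, 0x0E)
    f["num_fats"] = bs[0x10]
    f["root_entry_count"], = struct.unpack_from("<H", bs, 0x11)
    f["total_sectors_16"], = struct.unpack_from("<H", bs, 0x13)
    f["sectors_per_fat_16"], = struct.unpack_from("<H", bs, 0x16)
    f["total_sectors_32"], = struct.unpack_from("<I", bs, 0x20)
    f["sectors_per_fat"], = struct.unpack_from("<I", bs, 0x24)
    f["root_cluster"], = struct.unpack_from("<I", bs, 0x2C)
    f["signature"] = bs[0x1FE:0x200]
    return f

def root_directory_sector(f):
    """First sector of the root directory: reserved area, then every FAT,
    then the cluster offset of the root cluster (cluster numbers start at 2)."""
    fat_area = f["num_fats"] * f["sectors_per_fat"]
    data_start = f["reserved_sectors"] + fat_area
    return data_start + (f["root_cluster"] - 2) * f["sectors_per_cluster"]

def root_directory_byte_offset(f):
    return root_directory_sector(f) * f["bytes_per_sector"]

def validate_fat32(f):
    """Out-of-spec checks in the spirit of the deck's boot sector validator."""
    problems = []
    if f["signature"] != b"\x55\xAA":
        problems.append("missing 0x55AA boot signature")
    if f["bytes_per_sector"] not in (512, 1024, 2048, 4096):
        problems.append(f"bytes per sector {f['bytes_per_sector']} not in 512..4096")
    spc = f["sectors_per_cluster"]
    if spc == 0 or spc & (spc - 1) or spc > 128:
        problems.append(f"sectors per cluster {spc} is not a power of two (1..128)")
    if f["reserved_sectors"] == 0:
        problems.append("reserved sector count is 0")
    if f["num_fats"] not in (1, 2):
        problems.append(f"number of FATs {f['num_fats']} is not 1 or 2")
    if f["root_entry_count"] or f["sectors_per_fat_16"] or f["total_sectors_16"]:
        problems.append("FAT12/16-only fields are non-zero on a FAT32 volume")
    if f["sectors_per_fat"] == 0 or f["total_sectors_32"] == 0:
        problems.append("32-bit sectors per FAT / total sectors must be non-zero")
    if f["root_cluster"] < 2:
        problems.append(f"root cluster {f['root_cluster']} is below 2")
    if f["total_sectors_32"] and root_directory_sector(f) >= f["total_sectors_32"]:
        problems.append("root directory lies beyond the end of the volume")
    return problems

if __name__ == "__main__":
    f = parse_fat32_boot_sector(make_fat32_boot_sector())
    print("root directory starts at sector", root_directory_sector(f),
          "byte offset", root_directory_byte_offset(f), "problems:", validate_fat32(f))
    bad = parse_fat32_boot_sector(make_fat32_boot_sector(sectors_per_cluster=6, root_cluster=0))
    print("out-of-spec sample:", validate_fat32(bad))
```

With the slide's values the root directory starts at sector 8,192 (byte offset 4,194,304) and the validator is silent; a root cluster of 5 on the same volume moves it to sector 8,216, which the slide's "512 x 8 x 2" arithmetic would not predict, and a sector-per-cluster value of 6 or a root cluster of 0 is reported as out of spec.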

Summary: Active@ Disk Editor 6
- Quick shortcuts to content
- Clickable hyperlinks to relevant sectors
- FREE!
- Easy file editing
- Easy to learn; minimal training required
- Did I mention FREE?
- Prevents hex reading mistakes
- Little endian, big endian – all automatically calculated

Questions? Active@ Disk Editor: http://www.disk-editor.org/download
Presentation by: Edward Webber